Vulnerability Description
An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscribers in the body, allows downloading of a CSV data file with all subscriber data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Icegram | Email Subscribers \& Newsletters | < 3.4.8 |
Related Weaknesses (CWE)
References
- https://blog.threatpress.com/vulnerability-email-subscribers-plugin/Third Party Advisory
- https://wordpress.org/plugins/email-subscribers/#developersRelease Notes
- https://www.exploit-db.com/exploits/43872/ExploitThird Party AdvisoryVDB Entry
- https://blog.threatpress.com/vulnerability-email-subscribers-plugin/Third Party Advisory
- https://wordpress.org/plugins/email-subscribers/#developersRelease Notes
- https://www.exploit-db.com/exploits/43872/ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2018-6015?
CVE-2018-6015 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in the "Email Subscribers & Newsletters" plugin before 3.4.8 for WordPress. Sending an HTTP POST request to a URI with /?es=export at the end, and adding option=view_all_subscr...
How severe is CVE-2018-6015?
CVE-2018-6015 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-6015?
Check the references section above for vendor advisories and patch information. Affected products include: Icegram Email Subscribers \& Newsletters.